A customer swipes his credit card to pay for a television doorbuster deal at a Target store in Burbank, Calif., on Nov. 22, 2012.
It looks like hackers hit the bulls-eye with the recent unprecedented hack of Target credit and debit card information.
Not only was the digital heist huge — up to 40 million consumers might have had their data stolen — but the degree of difficulty indicates another step in the security arms race between criminals and merchants.
The hack affected customers who shopped at U.S. Target retail stores between Black Friday, Nov. 27, and Dec. 15, security researcher Brian Krebs first reported on his blog on Wednesday. That report was confirmed by Target in an official statement on Thursday.
"I don't know how they did it," James Wester, research director of IDC Financial Insights, told NBC News. Normally, hackers attack databases where credit card information is stored, which is where most companies put their security resources. Those types of attacks, Wester said, are difficult enough.
This latest incident, however, likely involved an attack on Target's point-of-sale (POS) system, most security experts agreed, meaning that customer information was probably sent directly from the store's mounted cash registers to the hackers themselves, probably due to malicious software.
"That is what is kind of mystifying at this point," Wester said. "It seems like from a security standpoint, Target was doing all of the right things, and somehow this code was put on the POS system, which isn't a normal access point for hackers."
Why would that be so bad? Because hackers could get their hands on what's called "track data," which is transmitted every time a card's magnetic strip is swiped. That information includes a cardholder's name, a service code used to identify international transactions, and the credit card's number and expiration date.
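From the defender's side, the track data described above is something a merchant can check its own logs and files for. The following is an added example, not part of the original article: a scanner that flags raw magnetic-stripe records and reports them masked. The Track 1 and Track 2 layouts follow ISO/IEC 7813; the function names and the sample log are constructed for illustration.

```python
import re

# Track 1 (ISO/IEC 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(r"%B(\d{12,19})\^([^^?]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(r";(\d{12,19})=(\d{2})(\d{2})(\d{3})\d*\?")


def luhn_ok(pan):
    """Luhn checksum; filters out digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask(pan):
    """Keep only the first six and last four digits of the card number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text):
    """Return one masked finding per raw track-data record found in text."""
    findings = []
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(text):
            pan = m.group(1)
            if not luhn_ok(pan):
                continue  # sentinel-shaped string, but not a valid card number
            yy, mm, svc = m.groups()[-3:]
            findings.append({"kind": kind, "offset": m.start(), "pan": mask(pan),
                             "expiry": f"{mm}/{yy}", "service_code": svc})
    return sorted(findings, key=lambda f: f["offset"])


# Constructed sample: a debug log that captured swipes. 4111111111111111 is a
# widely used test number, not a real account.
SAMPLE_LOG = """\
12:01:07 pos-07 swipe raw=%B4111111111111111^DOE/JANE^15121010000000000?
12:01:07 pos-07 swipe raw=;4111111111111111=15121010000000000?
12:01:09 pos-07 order id=;1234567890123456=99991010000? (not a card)
12:01:12 pos-07 auth approved pan=411111******1111
"""
```

Running `find_track_data(SAMPLE_LOG)` reports the first two lines and ignores the order id and the already masked number.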
Merchants like Target, as well as payment processors that store customer data for smaller businesses, aren't legally allowed to store CVV information in their databases.
With that information, criminals don't have to go through the trouble of manufacturing counterfeit credit cards, Dave Lott, retail payments risk expert at the Federal Reserve Bank of Atlanta, told NBC News. For only about $100, criminal outfits can buy equipment that allows them to print out cards for people to use at cash registers anywhere, and never be bothered for a CVV code.
Instead, codes in hand, criminals can simply purchase things online, often waiting months to use credit card numbers so that customers drop their guard after the media attention over a security breach has died down.
"These are often very well-organized, multinational outfits," Lott said. Criminal organizations can also sell the data on the black market, where credit card numbers have fetched $1 apiece — not a small haul when multiplied by the thousands or millions.
While it's unclear whether the number of credit and debit card hacks has increased over recent years, Lott said, the size of the breaches has increased as criminals look to make the risk associated with hacking sophisticated security measures worth their while.
Target has not commented on how the breach was discovered or whether hackers did in fact infiltrate its POS system.
"I can’t comment on the specifics, but can share that payment data that could have been exposed could include a person’s name, CVV, account number and expiration date," Molly Snyder, a Target spokesperson, told NBC News in an email, adding only that the company knew of the breach "as of Dec. 15."
Merchants or payment processors usually discover that they have been hacked after running their own security audits or noticing a spike in fraudulent transactions, multiple security experts said.
Insiders like Krebs often know about the breaches before the public does because they are constantly talking to the financial institutions that issue credit and debit cards, as well as approve or deny transactions from merchants, Shirley Inscoe, a senior analyst at the Aite Group, told NBC News. Inscoe herself said that financial executives told her about a major data breach involving Target earlier in the week, before news of the incident broke.
Krebs did not respond to a request for comment from NBC News.
Security experts have been pushing for adoption of EMV standards, which require cards that generate a different code each time they are used. The U.S. government is pushing for businesses to start installing EMV terminals by 2015, although adoption of the standard is voluntary. In the 12 months leading up to June 2013, after Australia implemented EMV standards, fraudulent charges from counterfeit cards dropped by 29 percent, according to a report from the Australia Payments Clearing Association.
Until then, U.S. law enforcement officials will continue to go after the sites that sell stolen data and the people who use fake cards. Unfortunately, said Inscoe, the shadowy global criminal outfits that hack customer information are difficult to track down.
"The mules who use the credit cards might be arrested, but the kingpins behind the activity are rarely caught," she said. "And if they are, there is always someone ready to step into their shoes."
Keith Wagstaff writes about technology for NBC News. He previously covered technology for TIME's Techland and wrote about politics as a staff writer at TheWeek.com. You can follow him on Twitter at @kwagstaff and reach him by email at: Keith.Wagstaff@nbcuni.com
First published December 19 2013, 12:23 PM